All govt agencies to take steps to safeguard personal data; measures to be in place in most systems by end-2021

As part of moves to improve the culture of safeguarding data, all public sector officers will have to go through an annual data security training programme. PHOTO: THE NEW PAPER

SINGAPORE - Public agencies will collect and retain an individual's data only when it is strictly necessary while making sure it is properly safeguarded, as part of new measures that will be rolled out across the entire public service.

In case of a data incident involving ministries, statutory boards or other public agencies, anyone affected will have to be notified promptly.

A single contact point will also be established for the public to report data incidents.

An exercise that began eight months back following a spate of data breaches has culminated with a series of suggestions submitted to Prime Minister Lee Hsien Loong on improving data security.

The Government said on Wednesday (Nov 27) that it has accepted these recommendations from the Public Sector Data Security Review Committee (PSDSRC) and will be rolling them out in 80 per cent of its systems by end-2021.

The rest will be implemented by the end of 2023, as some government systems are more complex and will require significant redesign.

The committee was convened on March 31 this year and tasked with reviewing data security practices across the public sector and suggesting ways to improve them.

In a letter accepting the committee's recommendations, PM Lee said: "Data is the lifeblood of the digital economy and a digital government. We need to use and share data as fully as possible to provide better public services.

"In doing so, we must also protect the security of the data and preserve the privacy of individuals, and yet not stifle digital innovation."

As part of moves to improve the culture of safeguarding data, all public sector officers will have to go through an annual data security training programme.

Third-party vendors handling government data who misuse personal data will also come under the Personal Data Protection Act (PDPA), following amendments to the Act which will likely be announced next year.

This means that these agents of government, who were previously exempt from the PDPA, will be liable to its financial penalties of up to $1 million.

These steps come under five broad measures that aim to better protect data and stop it from being compromised; improve the detection of data incidents and the response to them; raise competencies in the public service with regard to data security; ensure accountability for data protection at every level of government; and make sure that data security is a sustained effort in the public service.

This includes the 13 technical measures that the committee announced in July, which outlined steps like encrypting sensitive files and hiding away highly sensitive information about individuals, such as their HIV status, in a separate system with tighter controls.

The Government will appoint the Digital Government Executive Committee as the body to oversee data security across the entire public sector.

This existing committee, which is chaired by the Permanent Secretary of the Smart Nation and Digital Government Office, will also take charge of implementing the latest recommendations.

A new Government Data Security unit will also be set up in the Government Data Office to drive security efforts in the Government.

The PSDSRC was formed after a spate of cyber-security breaches over the past year.

In March, the personal data of more than 800,000 blood donors was accessed illegally and uploaded on an unauthorised server for more than two months. An HSA technology vendor, Secur Solutions Group, was found responsible for the incident.

And in Singapore's worst cyber attack, which took place in June last year, hackers made away with the personal data of 1.5 million SingHealth patients and the outpatient prescription information of 160,000 people, including PM Lee.

Mr Lee said in his letter that given the amount of data the Government gathers, it must do all it can to minimise the risk of data security incidents and, should such incidents occur, to minimise the harm they can do.

"As the custodian of a vast amount of data, the Government takes this responsibility very seriously. We must do our utmost to minimise the risk of data breaches," he said.

"At the same time, when such breaches do occur, it is essential that we detect them quickly, and respond effectively to limit the breach and minimise the harm done."

At a press conference on Wednesday, Senior Minister Teo Chee Hean, who chaired the committee, said that had these measures been in place earlier, the impact of the breaches would have been less severe.

"The Committee checked and satisfied itself that the recommended measures would have prevented or minimised the impact of the past data incidents in the public and public healthcare sector," he said.

In the course of its work, the committee carried out detailed inspections of 336 systems in all 94 government agencies.

It also studied the best data security practices in countries like Canada and the United Kingdom and in sectors such as finance and health.

"These measures will significantly enhance safeguards and hold officers to account. They are compatible to international and industry best practices," said SM Teo.

"The public sector will also ensure that our data security efforts are not one-off, but sustained and continue to evolve to address future challenges."